Questions tagged [restful-authentication]

Questions about authentication for RESTful services.

Services designed using REpresentational State Transfer architecture must often authenticate clients. How best to do this can be a complex topic, as in true REST each client request to the server will contain all the information necessary to complete it (including authentication).


1447 questions
792 votes, 14 answers

RESTful Authentication

What does RESTful Authentication mean and how does it work? I can't find a good overview on Google. My only understanding is that you pass the session key (rememberal) in the URL, but this could be horribly wrong.
Jim Keener
557 votes, 9 answers

Do sessions really violate RESTfulness?

Is using sessions in a RESTful API really violating RESTfulness? I have seen many opinions going either direction, but I'm not convinced that sessions are RESTless. From my point of view: authentication is not prohibited for RESTfulness (otherwise…
deceze
190 votes, 5 answers

What's the appropriate HTTP status code to return if a user tries logging in with an incorrect username / password, but correct format?

A similar question is posted here: What's an appropriate HTTP status code to return by a REST API service for a validation failure? The answer in the thread above states that "For instance if the URI is supposed to have an ISO-8601 date and you find…
173 votes, 8 answers

Basic HTTP and Bearer Token Authentication

I am currently developing a REST API which is HTTP Basic protected for the development environment. As the real authentication is done via a token, I'm still trying to figure out how to send two authorization headers. I have tried this one: curl -i…
155 votes, 4 answers

Should JWT be stored in localStorage or cookie?

For the purpose of securing REST API using JWT, according to some materials (like this guide and this question), the JWT can be stored in either localStorage or Cookies. Based on my understanding: localStorage is subjected to XSS and generally it's…
pkid169
140 votes, 11 answers

Token Authentication for RESTful API: should the token be periodically changed?

I'm building a RESTful API with Django and django-rest-framework. As authentication mechanism we have chosen "Token Authentication" and I have already implemented it following Django-REST-Framework's documentation, the question is, should the…
nemesisdesign
126 votes, 6 answers

Are there any disadvantages to GraphQL?

All the articles about GraphQL will tell you how wonderful it is, but are there any disadvantages or shortcomings to it? Thank you.
Dr.Nemo
119 votes, 9 answers

RESTful web service - how to authenticate requests from other services?

I am designing a RESTful web service that needs to be accessed by users, but also other web services and applications. All of the incoming requests need to be authenticated. All communication takes place over HTTPS. User authentication is going to…
117 votes, 8 answers

passport.js passport.initialize() middleware not in use

I am using node with express + mongoose and trying to use passport.js with restful api. I keep getting this exception after authentication success (I see the callback url on the…
Naor
115 votes, 4 answers

How to use jti claim in a JWT

The JWT spec mentions a jti claim which allegedly can be used as a nonce to prevent replay attacks: The "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a…
nw.
114 votes, 2 answers

API Keys vs HTTP Authentication vs OAuth in a RESTful API

I'm working on building a RESTful API for one of the applications I maintain. We're currently looking to build various things into it that require more controlled access and security. While researching how to go about securing the API, I found a few…
Shauna
100 votes, 6 answers

REST authentication and exposing the API key

I've been reading up on REST and there are a lot of questions on SO about it, as well as on a lot of other sites and blogs. Though I've never seen this specific question asked...for some reason, I can't wrap my mind around this concept... If I'm…
tjans
98 votes, 2 answers

What is the difference between JSON Web Signature (JWS) and JSON Web Token (JWT)?

I've been coding a RESTful service in Java. This is what I've understood till now: Token authorization is done using JSON Web Tokens (JWT) which have three parts: the header, the payload, and the secret (shared between the client and the server). I…
leo
88 votes, 3 answers

How to secure RESTful web services?

I have to implement secure RESTful web services. I already did some research using Google but I'm stuck. Options: TLS (HTTPS) + HTTP Basic (pc1oad1etter) HTTP Digest two-legged OAuth a Cookie-based approach client certificates (Tom Ritter and…
Jan Deinhard
80 votes, 6 answers

How do I implement login in a RESTful web service?

I am building a web application with a services layer. The services layer is going to be built using a RESTful design. The thinking is that some time in the future we may build other applications (iPhone, Android, etc.) that use the same services…